OFFICE OF INSPECTOR GENERAL

EVALUATION REPORT

FISCAL YEAR 2009 EVALUATION OF NEA’S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002

REPORT NO. R-10-02, rev. 2/26/10
JANUARY 22, 2010

REPORT RELEASE RESTRICTION

In accordance with Public Law 110-409, The Inspector General Act of 2008, this report shall be posted on the National Endowment for the Arts (NEA) website not later than three (3) days after it is made publicly available with the approval of the NEA Office of Inspector General. Information contained in this report may be confidential. The restrictions of 18 USC 1905 should be considered before this information is released to the public. Furthermore, information contained in this report should not be used for purposes other than those intended without prior consultation with the NEA Office of Inspector General regarding its applicability.

INTRODUCTION

The Federal Information Security Management Act of 2002 requires an annual evaluation by the Inspector General of its agency’s information security programs and practices. This report presents the results of our evaluation of NEA’s information security program and practices for protecting its information technology (IT) infrastructure.

BACKGROUND

The Federal Information Security Management Act (FISMA) of 2002 was signed into law on December 17, 2002. It replaced the Government Information Security Reform Act (GISRA), which expired in November 2002. The Act requires each federal agency to develop, document, and implement an agency-wide information security program to provide information security over the operations and assets of the agency. This includes:

- Periodic risk assessments;
- Policies and procedures that are based on risk assessments;
- Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate;
- Security awareness training to inform employees (including contractors) of the security risks associated with their activities and their responsibilities to comply with those agency policies and procedures designed to reduce those risks;
- Periodic testing and evaluation of the effectiveness of information security policies;
- A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
- Procedures for detecting, reporting, and responding to security incidents; and
- Plans and procedures to ensure continuity of operations of the agency’s information systems.

Office of Management and Budget (OMB) Memorandum M-09-29, dated August 20, 2009, entitled FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, updates instructions to Senior Agency Officials for Privacy, Chief Information Officers and Inspectors General for reporting their 2009 information to OMB. Although the requirements changed little this year, reporting was accomplished through an automated collection tool.

The National Institute of Standards and Technology (NIST), which has the responsibility for developing technical standards and related guidance, has issued numerous publications including NIST Publication 800-12, An Introduction to Computer Security: The NIST Handbook. This publication explains important concepts, cost considerations, and interrelationships of security controls as well as the benefits of such controls. NIST also has published a Guide for Developing Security Plans for Information Technology Systems; Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems; Special Publication 800-53, Recommended Security Controls for Federal Information Systems; and FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems. In addition, guidance is found in the Government Accountability Office publication, Federal Information System Controls Audit Manual (FISCAM).

NEA’s Office of Information and Technology Management (ITM) maintains and operates two of the Agency’s three core systems on a local area network (LAN). These are the Grants Management System (GMS), which contains information on grant applications, and the Automated Panel Bank System (APBS), which contains information on panelists who review grant applications. NEA has contracted with the Department of Transportation Enterprise Service Center to host NEA’s Financial Management System (FMS) through its Delphi Financial Management System. In addition, NEA operates support systems including electronic mail, and internet and intranet services.

The Chief Information Officer (CIO) is responsible for developing policies and procedures to ensure that security is provided over NEA’s networks.

OBJECTIVE AND SCOPE

The objective of the evaluation was to determine the adequacy of NEA’s information technology (IT) security program and practices. This included a review of NEA’s IT security policies and procedures and privacy management program. It also included interviews with responsible agency officials managing the IT systems, and tests of the effectiveness of security controls.

PRIOR EVALUATION

The NEA Office of Inspector General (OIG) issued a report entitled Fiscal Year 2008 Evaluation of NEA’s Compliance with the Federal Information Security Act of 2002 (Report No. R-09-02) dated October 9, 2008. The report had six (6) recommendations, of which two, Recommendations Nos. 1 and 2, remained open at the time of our review. However, subsequent to the exit conference, ITM submitted documentation to the OIG confirming that the corrective action for Recommendation No. 1 was completed. Based on the documentation provided, the NEA Audit Follow-up Official cleared this recommendation.

The status of the remaining recommendation is summarized below.

Recommendation No. 2

ITM should revise the Continuity of Operations Plan (COOP) to address the deficiencies noted in the SeNet report.

ITM submitted a draft of the revised COOP addressing the deficiencies noted in the SeNet report; however, the draft did not include a list of Vital Records and Databases as required. This recommendation will remain open until ITM provides the OIG a completed and approved COOP.

EVALUATION RESULTS

The FY 2009 evaluation concluded that there are several issues that need to be addressed by NEA’s Office of Information and Technology Management. These issues are related to the Security Plan, ITM policies, the security certification and accreditation of the information network, reporting of Plans of Action and Milestones (POA&Ms) on the quarterly FISMA reports, inventory control and change management. Details are presented in the following narrative.

Security Plan

The development of security plans is an important activity in an Agency’s information security system that directly supports the security accreditation process required under FISMA and OMB Circular A-130, Management of Federal Information Resources. Security plans should ensure that adequate security is provided for all Agency information collected, processed, stored, or disseminated in NEA’s general support systems and major applications.

ITM last revised the NEA Security Plan in June 2007. During our FY 2008 FISMA review, we found the security plan had not been revised although there were several system changes which should have been incorporated. At that time, ITM informed us that the Security Plan was being updated. During the current review, we again found that the Security Plan had not been updated. Subsequent to the exit conference, ITM informed us that the security plan is being revised in accordance with federal guidelines and would also encompass all ITM policies.

We recommend that ITM complete and approve the Security Plan as required by its Standard Procedures for Developing Information Technology Policies. A copy of the approved Security Plan should be provided to the OIG.

ITM Policies

During the FY 2008 evaluation, we found ITM policies which (1) were not updated to reflect current security requirements, (2) did not include a date of issuance or (3) were issued without formal approvals. We recommended that ITM implement standard procedures for developing policies to ensure that only approved policies are issued and that those policies are made available to employees. ITM provided us a copy of the “Standard Procedures for Developing Information Technology Policies,” which are instructions for developing ITM policies and making those policies available to employees. The instructions were approved by the Chief Information Officer.

During this evaluation, we determined that the instructions for developing ITM policies had not been effectively implemented. We again found policies that were not approved, revised or made available to employees. For example, ITM has several policies posted on its intranet website; however, we found several inactive links for policies such as the Audit & Accountability Policy and the Security Awareness Training Policy, both of which, according to ITM, are a part of the Security Plan. In some cases, policies on the intranet had not been updated.

The following policies should be revised and authorized per the ITM “Standard Procedures for Developing Information Technology Policies”:

- Site Certification and Accreditation Policy
- System Security Plan

ITM does not have policies for Inventory Controls and Contractor Security; therefore, we recommend that ITM develop and implement policies addressing these areas. We also recommend that ITM implement its standard procedures for developing all policies, and make those policies available to employees.

Security Certification and Accreditation (C&A)

ITM certified its Information Network supporting the National Endowment for the Arts in its March 2006 National Endowment for the Arts Information System Network Site Certification and Accreditation. The Network consists of the Grants Management System and Automated Panel Bank System. It is authorized to process information that is “sensitive,” but unclassified. The NEA Information System Network is connected to the National Finance Center (NFC) and the Department of Transportation – Federal Aviation Administration – Aeronautical Center, Enterprise Service Center. The accreditation was valid for three years or until March 2009. As of our review in August 2009, a new C&A had not been performed.

We recommend that ITM perform the security certification and accreditation review on all its systems as required.

NIST Self-Assessment and Plans of Action and Milestones (POA&Ms)

An external risk assessment was performed in FY 2008; therefore a self-assessment is not scheduled to be performed until December 2009. However, as part of our evaluation we reviewed the quarterly FISMA reports submitted to OMB. We reviewed the reports to determine whether ITM was reporting all its POA&Ms which were unresolved more than 90 to 120 days beyond the planned remediation date, as required by OMB. We noted that the following POA&Ms were reported during FY 2009:

    Report quarter     Number of POA&Ms
    December 2008      0
    March 2009         3
    June 2009          1

In each case, the reported weaknesses concerned the COOP. However, during our review we found several unresolved POA&Ms, such as the revisions and/or approvals of policies, that were more than 90 to 120 days beyond the planned remediation date.
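The 90-day reporting threshold described above can be checked mechanically against a POA&M list. The following Python script is an added example for this evaluation, not part of the OIG report and not an NEA or ITM tool; it applies OMB's "more than 90 days beyond the planned remediation date" rule to a constructed set of POA&M records (the identifiers, weakness descriptions and dates are invented for illustration) and counts, for each FY 2009 quarter-end date, the items that were still open and reportable on that date.

```python
from datetime import date

# Constructed sample POA&M records for illustration; not taken from the NEA report.
# "planned" is the planned remediation date; "completed" is the actual closure
# date, or None if the item is still open.
SAMPLE_POAMS = [
    {"id": "POAM-01", "weakness": "COOP missing list of vital records and databases",
     "planned": date(2008, 9, 30), "completed": None},
    {"id": "POAM-02", "weakness": "Security Plan not revised and approved",
     "planned": date(2008, 6, 30), "completed": None},
    {"id": "POAM-03", "weakness": "Hardware inventory not completed annually",
     "planned": date(2009, 3, 1), "completed": date(2009, 3, 15)},
    {"id": "POAM-04", "weakness": "Change request forms not submitted to ISSO",
     "planned": date(2009, 5, 15), "completed": None},
    {"id": "POAM-05", "weakness": "Contractor Security policy not developed",
     "planned": date(2008, 10, 2), "completed": None},
]

# Assumed "as of" dates for the three FY 2009 quarterly reports named in the
# evaluation: the last calendar day of each quarter (an assumption, not a rule
# stated in the report).
FY2009_QUARTER_ENDS = [date(2008, 12, 31), date(2009, 3, 31), date(2009, 6, 30)]


def is_open_on(poam, as_of):
    """A POA&M is open on `as_of` unless it was closed on or before that date."""
    return poam["completed"] is None or poam["completed"] > as_of


def days_past_planned(poam, as_of):
    """Days elapsed since the planned remediation date; negative if not yet due."""
    return (as_of - poam["planned"]).days


def reportable_poams(poams, as_of, threshold_days=90):
    """Open POA&Ms more than `threshold_days` past their planned date on `as_of`.

    The OMB rule is "more than 90 days", so the comparison is strict: an item
    exactly 90 days past due is not yet reportable. Returns (id, days_overdue)
    pairs, most overdue first.
    """
    overdue = [
        (p["id"], days_past_planned(p, as_of))
        for p in poams
        if is_open_on(p, as_of) and days_past_planned(p, as_of) > threshold_days
    ]
    return sorted(overdue, key=lambda item: -item[1])


def quarterly_report_counts(poams, quarter_ends, threshold_days=90):
    """Number of reportable POA&Ms per quarterly report date (ISO date -> count)."""
    return {
        q.isoformat(): len(reportable_poams(poams, q, threshold_days))
        for q in quarter_ends
    }


if __name__ == "__main__":
    for q in FY2009_QUARTER_ENDS:
        items = reportable_poams(SAMPLE_POAMS, q)
        print(f"{q}: {len(items)} reportable POA&M(s)")
        for poam_id, days in items:
            print(f"  {poam_id}: {days} days beyond planned remediation date")
```

Run directly, the script lists the reportable items for each quarter-end. Two edge cases matter for a quarterly snapshot: an item closed after the report date still counts as open on that date, and the strict comparison means an item exactly 90 days past due (POAM-05 on December 31, 2008, in the sample data) is first flagged on the following report.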
For instance, the “Security Plan” policy had not been updated and approved since the prior evaluation; therefore it should have been reported on the quarterly FISMA report.

We recommend, as we have in prior reviews, that ITM include all POA&Ms which are more than 90 days beyond the planned remediation date in its quarterly FISMA report as required by the Office of Management and Budget.

Privacy Reporting and Privacy Impact Assessment

The 2009 FISMA guidance included additional questions on security and privacy policies, which require agencies to submit information on privacy issue allegations, policies and the types of privacy reviews ITM conducted. OMB directed agencies to submit their most current documentation related to OMB Memorandum M-07-16, of May 22, 2007, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information” (PII). OMB Memorandum M-07-16 requires agencies to review their use of SSNs, in agency systems and programs, in order to identify instances in which collection or use is superfluous.

To comply with the requirements above, NEA’s ITM has:

- Implemented PII policies regarding breach notification and rules of behavior;
- Completed technical security assessments to evaluate the level of security protecting NEA IT assets;
- Reviewed PII holdings and updated the system of records notice to include OMB recommended “routine uses” of PII language; and
- Modified security orientation and privacy training for all NEA staff to include responsibility to protect Agency information and technology assets.

ITM’s review of PII holdings determined that NEA collects only PII that is relevant and necessary for administrative purposes and determined that there are adequate administrative, technical and physical safeguards in place for the PII collected. NEA does not use Social Security Numbers (SSNs), truncated SSNs, or any part of SSNs as tracking numbers for its applications, grants, cooperative agreements or contracts. NEA does not share PII with outside agencies other than for processing payments. ITM indicated there have been no reported breaches or security incidents involving PII collected or maintained by the Agency. ITM also indicated that there were no changes to the policy since the 2008 FISMA status report on PII and SSNs which was issued September 18, 2008.

IT Security and Privacy Awareness Training

NIST Special Publications 800-50, Building an Information Technology Security Awareness and Training Program, and 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, provide the standards for security awareness and training. ITM combined IT Security and Privacy Awareness Training in the FY 2008 Annual Refresher Training. The FY 2009 annual training also included reporting computer incidents.

We obtained and reviewed the list of employees who had completed the FY 2009 security awareness training and determined that 98% of the staff completed the required Annual IT Security and Privacy Awareness Refresher training on security awareness and privacy (172 completed, 4 did not complete).

Inventory Controls

NEA has an inventory of its hardware that was updated as of July 17, 2008. The perpetual inventory listing is maintained and updated as equipment is added or deleted. The inventory lists each item by office, barcode number, serial number, manufacturer, model number and description, as well as the user. It also indicates the date the inventory was taken and the initials of the person who took the inventory. During this review we were advised the inventory for FY 2009 was in process. However, subsequent to our review ITM provided the OIG a copy of the 2009 inventory.

We recommend that ITM develop policies and implement procedures to ensure that the ITM inventory is completed annually.

Change Management

ITM issued a Change Management Policy/Procedure in 2005. This policy “describes the responsibilities, policies, and procedures to be followed by ITM when making changes or recording events to the National Endowment for the Arts IT infrastructure.” It defines “change” and “event” as follows:

    Change: to transform, alter, or modify the operating environment or standard operating procedures; any modification that could have potential and/or significant impact on the stability and reliability of the infrastructure and impacts conducting normal business operation by our users and ITM; any interruption in building environments (i.e., electrical outages) that may cause disruption to the IT infrastructure.

    Event: any activity outside of the normal operating procedures that could have a potential and/or significant impact on the stability and reliability of the infrastructure, i.e. a request to keep a system up during a normal shutdown period.

The change management process includes the submission of a change request form, with management approval, to the Information System Security Officer (ISSO). During our FY 2008 evaluation, we noted that although there were changes made to the system, no request forms had been submitted to the ISSO. As a result, we recommended that ITM implement procedures to ensure compliance with the NEA Change Management Policy/Procedure. This year, we again requested copies of completed change management request forms and found that no submissions had been made.

We recommend that ITM revise, approve and implement the NEA Change Management Policy/Procedure as required by its Standard Procedures for Developing Information Technology Policies. We also recommend that the CIO direct staff to adhere to those procedures.

During the exit conference, the CIO stated that he had directed the staff to adhere to the change management policy on January 14, 2010.

Financial Management System

NEA has an agreement with the U.S. Department of Transportation (DOT) to utilize the Enterprise Service Center’s (ESC) Oracle Federal Financial System, Delphi, as its financial management system. OMB requires that such service organizations provide client agencies with an independent report describing system controls. To comply with this requirement, DOT OIG hired an independent contractor, Clifton Gunderson, LLP, to conduct a review of the computer controls over the information technology and data processing environment, as well as the input, processing, and output controls built into the Delphi system.

The independent contractor rendered an opinion on the effectiveness of those controls for the nine-month period from October 1, 2008 through June 30, 2009. The audit concluded that “management presented its description of ESC controls fairly in all material respects” and that “controls, as described, were suitably designed for all stated control objectives.” In addition, controls “were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified by management were achieved from October 1, 2008, through June 30, 2009. The exceptions are ineffective access controls and segregation of duties concerning the CASTLE [1] system operations.” CASTLE is used to support DOT operations only.

[1] Consolidated Automated System for Time and Labor Entry (CASTLE).

Payroll System

NEA uses the U.S. Department of Agriculture (USDA) National Finance Center as its payroll provider. In September 2009, the USDA OIG issued its Statement on Auditing Standards Number 70 Report, Review of the Department of Agriculture Office of the Chief Financial Officer/National Finance Center (OCFO/NFC). The review concluded that the OCFO/NFC’s “description of controls presented fairly, in all material respects, the relevant aspects of OCFO/NFC.” Also, in their opinion, “the controls included in the description were suitably designed and operating with sufficient effectiveness to provide reasonable assurance that associated control objectives would be achieved if customer agencies and subservice organizations applied the controls contemplated in the design of NFC’s controls.” There were no recommendations in the report.

EXIT CONFERENCE

An exit conference was held with ITM officials on January 14, 2010. The officials generally concurred with our findings and recommendations and agreed to initiate corrective actions.

RECOMMENDATIONS

We recommend that the NEA Office of Information and Technology Management:

1. Complete corrective actions for Recommendation No. 2 in the FY 2008 FISMA Evaluation. ITM should provide the OIG a completed and approved COOP.

2. Complete and approve the Security Plan as required by its Standard Procedures for Developing Information Technology Policies. A copy of the approved Security Plan should be provided to the OIG.

3. Implement its standard procedures for developing all policies as required by the “Standard Procedures for Developing Information Technology Policies,” and make those policies available to employees.

4. Perform the security certification and accreditation review on all its systems as required and update its C&A policy to reflect current ITM and federal requirements.

5. Include all Plans of Action and Milestones (POA&Ms), which are more than 90 days beyond the planned remediation date, in its quarterly FISMA report as required by the Office of Management and Budget.

6. Develop policies and implement procedures to ensure that the ITM inventory is completed annually.

7. Approve and implement the NEA Change Management Policy/Procedure as required by its Standard Procedures for Developing Information Technology Policies.